10437983

Method and System for Improved Data Control and Access

Published: October 8, 2019
Assignee: not available in USPTO data we have
Patent Claims
10 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method for controlling data access, comprising: storing, in a memory of a data storage device of a computing system, a plurality of data access rules, wherein each data access rule specifies (i) one or more data files, or (ii) a sector/block range of the data storage device and includes a first authentication factor, a second authentication factor, and a time range; receiving, by a receiver of a host controller of the data storage device, a data action request from a host device in the computing system, the data action request including a data command and an affected data item; identifying, by the host controller, an applicable data access rule based on the affected data item as matching the one or more data files included in the applicable data access rule or being stored in the sector/block range included in the applicable data access rule; transmitting, by a transmitter of the host controller, a first request for authentication using the first authentication factor in the applicable data access rule; transmitting, by the transmitter of the host controller, a second request for authentication using the second authentication factor in the applicable data access rule; receiving, by the receiver of the host controller, a first response to the first request for authentication indicating successful authentication and a second response to the second request for authentication indicating successful authentication; determining, by the host controller, compliance with the applicable data access rule based on the received first response, the received second response, and receipt of the data action request during the time range included in the applicable data access rule; and executing, by the host controller, the data command included in the data action request.

Plain English Translation

This invention relates to a method for controlling data access in a computing system, addressing the need for secure and granular access management to data files or storage sectors/blocks. The method involves storing multiple data access rules in a memory of a data storage device, where each rule specifies either one or more data files or a sector/block range and includes two authentication factors and a time range. When a host device sends a data action request (e.g., read, write) to the storage device, the host controller identifies the applicable rule based on the affected data item. The controller then requests authentication using the first and second factors specified in the rule. If both authentications succeed and the request falls within the allowed time range, the controller executes the data command. This approach ensures that data access is restricted by both multi-factor authentication and temporal constraints, enhancing security for sensitive data. The method is particularly useful in environments where unauthorized access to specific files or storage regions must be prevented, such as in enterprise or government systems. The invention automates enforcement of access policies at the storage device level, reducing reliance on higher-level software controls.

Claim 2

Original Legal Text

2. The method of claim 1, wherein the first authentication factor requires a user of the computing system to input a known data value into the computing system, and the second authentication factor requires presence of a security device interfaced with the computing system.

Plain English Translation

This invention relates to multi-factor authentication systems for computing devices. The problem addressed is the need for secure yet user-friendly authentication methods that prevent unauthorized access while minimizing inconvenience. The solution involves a two-factor authentication process where the first factor requires the user to input a known data value, such as a password or PIN, into the computing system. The second factor requires the physical presence of a security device, such as a hardware token or smart card, that must be interfaced with the computing system. This ensures that authentication cannot be completed without both the correct data input and the authorized security device, enhancing security by requiring something the user knows and something the user possesses. The system may include additional features, such as verifying the security device's authenticity or ensuring the data value matches a stored reference. This approach mitigates risks like password theft or unauthorized device access, providing robust protection for sensitive computing environments.

Claim 3

Original Legal Text

3. The method of claim 2, wherein the first authentication factor utilizes at least one of: a password and a security code.

Plain English Translation

This invention relates to authentication systems, specifically methods for enhancing security in multi-factor authentication (MFA) processes. The problem addressed is the vulnerability of traditional authentication systems to attacks such as phishing, credential stuffing, and brute-force attempts, which often exploit weak or single-factor authentication mechanisms. The invention describes a multi-factor authentication method where a user is required to provide at least two distinct authentication factors to verify their identity. The first authentication factor involves the use of either a password or a security code, which are common but potentially vulnerable credentials. The second authentication factor is not explicitly detailed in this claim but is implied to be a different type of authentication factor, such as a biometric scan, a hardware token, or a one-time passcode (OTP) sent to a registered device. The system processes these factors sequentially or simultaneously to determine whether the user is authorized to access a protected resource. By combining at least two authentication factors, the method reduces the risk of unauthorized access compared to single-factor systems. The use of a password or security code as the first factor ensures compatibility with existing authentication infrastructures, while the second factor adds an additional layer of security. This approach is particularly useful in applications requiring high-security access, such as financial transactions, healthcare systems, or enterprise networks. The invention aims to balance usability and security by leveraging familiar credentials while introducing stronger authentication mechanisms.

Claim 4

Original Legal Text

4. The method of claim 2, wherein the security device is one of: a security dongle and a biometric scanner.

Plain English Translation

A security system enhances access control by integrating a security device with a computing system. The system includes a computing device with a processor and a memory storing executable instructions. The security device, which can be a security dongle or a biometric scanner, is communicatively coupled to the computing device. The security device generates a security token upon successful authentication, which the computing device verifies before granting access to a protected resource. The system ensures secure access by requiring the security device to be physically present or to perform a biometric verification, preventing unauthorized access. The security token is generated based on a cryptographic key stored in the security device, ensuring that only authorized devices can produce valid tokens. The computing device validates the token using a corresponding key, confirming the device's authenticity. This method improves security by combining physical or biometric authentication with cryptographic verification, reducing the risk of unauthorized access to sensitive resources. The system is particularly useful in environments where high-security access control is required, such as financial institutions, government facilities, or enterprise networks.

Claim 5

Original Legal Text

5. The method of claim 1, wherein the time range included in the applicable data access rule includes at least one of: time of day, day of week, and day of month.

Plain English Translation

This invention relates to data access control systems, specifically methods for defining and enforcing time-based restrictions on data access. The problem addressed is the need for granular control over when users or systems can access certain data, beyond simple binary permissions. The method involves implementing data access rules that incorporate specific time ranges. These time ranges can be defined using one or more of the following temporal parameters: time of day, day of the week, or day of the month. For example, a rule might allow access only between 9 AM and 5 PM on weekdays, or only on the first day of each month. This enables organizations to restrict data access during sensitive periods, comply with regulatory requirements, or align access patterns with business operations. The system evaluates these time-based rules when an access request is made, comparing the current time against the defined parameters to determine whether access should be granted. This approach provides more flexible and context-aware access control compared to traditional methods that lack temporal constraints. The invention is particularly useful in environments where data sensitivity varies based on temporal factors, such as financial systems during reporting periods or healthcare systems during patient care hours.
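The decision flow of claims 1 and 5, written out as an added Python example (not code from the patent or from this site). All names are hypothetical. Assumptions the claims do not state: the first matching rule applies, a request with no matching rule is denied, and day of week and day of month are checked against the calendar date on which the request was received.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Union

@dataclass(frozen=True)
class TimeRange:
    start: time                                    # time of day, inclusive
    end: time                                      # time of day, exclusive
    weekdays: frozenset = frozenset(range(7))      # day of week, 0 = Monday
    month_days: frozenset = frozenset(range(1, 32))  # day of month

    def contains(self, ts: datetime) -> bool:
        t = ts.time()
        if self.start <= self.end:
            in_hours = self.start <= t < self.end
        else:                                      # window wraps past midnight
            in_hours = t >= self.start or t < self.end
        return in_hours and ts.weekday() in self.weekdays and ts.day in self.month_days

@dataclass(frozen=True)
class AccessRule:
    first_factor: str
    second_factor: str
    window: TimeRange
    files: frozenset = frozenset()     # (i) one or more data files, or
    blocks: Optional[range] = None     # (ii) a sector/block range

    def covers(self, item: Union[str, int]) -> bool:
        if isinstance(item, int):      # affected item addressed by block number
            return self.blocks is not None and item in self.blocks
        return item in self.files

def handle_request(rules, command, item, received_at, authenticate, execute):
    """Return 'executed' or a 'denied:<reason>' string for one data action request.

    received_at is the time of receipt on the controller's own clock, captured
    before authentication starts, because the claim tests the time of receipt.
    """
    rule = next((r for r in rules if r.covers(item)), None)
    if rule is None:
        return "denied:no-rule"        # assumption: default deny
    # Both authentication requests are issued; neither short-circuits the other.
    first_ok = authenticate(rule.first_factor)
    second_ok = authenticate(rule.second_factor)
    if not (first_ok is True and second_ok is True):
        return "denied:auth"
    if not rule.window.contains(received_at):
        return "denied:time"
    execute(command, item)             # reached only when every condition holds
    return "executed"

# Constructed sample rules: one file rule, one block-range rule.
SAMPLE_RULES = [
    AccessRule("password", "dongle",
               TimeRange(time(9), time(17), weekdays=frozenset(range(5))),
               files=frozenset({"payroll.db"})),
    AccessRule("security_code", "biometric",
               TimeRange(time(22), time(2), month_days=frozenset({1})),
               blocks=range(2048, 4096)),
]
```

The second rule shows the wrap-around edge case: a request at 01:00 on the 2nd falls inside the 22:00 to 02:00 window by time of day but is denied, because its calendar date is no longer the 1st.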

Claim 6

Original Legal Text

6. A system for controlling data access, comprising: a computing system including a data storage device; the data storage device including a host controller and storing a plurality of data access rules, wherein each data access rule specifies (i) one or more data files, or (ii) a sector/block range of the data storage device and includes a first authentication factor, a second authentication factor, and a time range; and the host controller configured to receive a data action request from a host device in the computing system, the data action request including a data command and an affected data item, identify an applicable data access rule based on the affected data item as matching the one or more data files included in the applicable data access rule or being stored in the sector/block range included in the applicable data access rule, transmit a first request for authentication using the first authentication factor in the applicable data access rule, transmit a second request for authentication using the second authentication factor in the applicable data access rule; receive a first response to the first request for authentication indicating successful authentication and a second response to the second request for authentication indicating successful authentication; determine compliance with the applicable data access rule based on the received first response, the received second response, and receipt of the data action request during the time range included in the applicable data access rule, and execute the data command included in the data action request.

Plain English Translation

The system controls data access in a computing system by enforcing granular access rules tied to specific data files or storage sectors/blocks. The system includes a data storage device with a host controller and a set of predefined access rules. Each rule specifies either one or more data files or a sector/block range on the storage device, along with two authentication factors and a time range during which access is permitted. When a host device submits a data action request (e.g., read, write, delete) targeting a specific data item, the host controller identifies the applicable rule by matching the affected data item to the files or storage range defined in the rule. The system then initiates a two-factor authentication process, requiring successful validation of both factors before proceeding. Additionally, the request must be received within the specified time range. If all conditions are met, the requested data action is executed. This approach ensures secure, time-bound access to specific data segments, preventing unauthorized or out-of-scope operations. The system dynamically enforces access policies at the storage level, reducing reliance on higher-layer security mechanisms.

Claim 7

Original Legal Text

7. The system of claim 6, wherein the first authentication factor requires a user of the computing system to input a known data value into the computing system, and the second authentication factor requires presence of a security device interfaced with the computing system.

Plain English Translation

This invention relates to a multi-factor authentication system for computing systems, addressing the need for enhanced security beyond single-factor authentication methods. The system requires two distinct authentication factors to verify user identity. The first factor involves the user inputting a known data value, such as a password or PIN, into the computing system. The second factor requires the physical presence of a security device, such as a hardware token or smart card, interfaced with the computing system. The security device may communicate with the system via wired or wireless means to provide an additional layer of verification. This dual-factor approach ensures that unauthorized access is more difficult, as an attacker would need both the known data value and physical access to the security device. The system may be integrated into various computing environments, including personal computers, servers, or mobile devices, to strengthen security protocols. The combination of knowledge-based and possession-based authentication factors provides a robust defense against unauthorized access attempts.

Claim 8

Original Legal Text

8. The system of claim 7, wherein the first authentication factor utilizes at least one of: a password and a security code.

Plain English Translation

A system for secure authentication in digital environments addresses the problem of unauthorized access by implementing multi-factor authentication (MFA). The system enhances security by requiring multiple independent verification steps before granting access to a user. One of these steps involves a first authentication factor, which can include either a password or a security code. The password is a secret string known only to the user, while the security code may be a one-time passcode (OTP) generated by an authenticator app, sent via SMS, or derived from a hardware token. This factor is combined with at least one additional authentication factor, such as biometric verification (e.g., fingerprint or facial recognition) or a physical security key, to ensure robust protection against unauthorized access. The system dynamically verifies the user's identity by cross-checking the provided credentials against stored or dynamically generated values, reducing the risk of credential theft or brute-force attacks. The use of multiple authentication methods increases security without significantly compromising user convenience, making it suitable for applications requiring high-security access control, such as financial services, enterprise systems, or sensitive data repositories.

Claim 9

Original Legal Text

9. The system of claim 7, wherein the security device is one of: a security dongle and a biometric scanner.

Plain English Translation

A system for enhancing security in electronic devices includes a security device that authenticates users before granting access to the device. The security device can be a security dongle, which is a physical hardware token that connects to the device and verifies user credentials, or a biometric scanner, which uses unique biological characteristics such as fingerprints or facial recognition to authenticate users. The security device communicates with the electronic device to validate the user's identity before allowing access to sensitive functions or data. This system ensures that only authorized users can operate the device, preventing unauthorized access and enhancing overall security. The security device may also include additional features such as encryption or secure storage to further protect user data. The system is particularly useful in environments where high security is required, such as financial transactions, government applications, or corporate networks. By integrating the security device with the electronic device, the system provides a robust and flexible authentication mechanism that can be adapted to different security needs.

Claim 10

Original Legal Text

10. The system of claim 6, wherein the time range included in the applicable data access rule includes at least one of: time of day, day of week, and day of month.

Plain English Translation

A system for managing data access rules includes a rule engine that evaluates access requests based on predefined criteria. The system determines whether a user or application has permission to access specific data by checking the applicable data access rules. These rules can include conditions related to the time of day, day of the week, or day of the month. The rule engine processes these time-based conditions to enforce access restrictions dynamically. For example, a rule may allow access only during business hours, on specific weekdays, or within certain calendar dates. The system ensures that data access complies with organizational policies or regulatory requirements by applying these time-based constraints. This approach enhances security and compliance by restricting access to sensitive data outside permitted time frames. The system may also integrate with authentication mechanisms to verify user identities before applying the rules. By incorporating time-based conditions, the system provides granular control over data access, reducing the risk of unauthorized or untimely data exposure.

Patent Metadata

Filing Date

Unknown

Publication Date

October 8, 2019

Inventors

Tony Edward FESSEL

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “METHOD AND SYSTEM FOR IMPROVED DATA CONTROL AND ACCESS” (10437983). https://patentable.app/patents/10437983
